THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
JIRA : SQOOP-1834 and its sub tickets, SQOOP-2048 and its sub tickets
Problem
Sqoop 2 needs a pluggable role based access controller (RBAC), which is responsible for the authorization to Sqoop 2 resources, such as server, connector, link, job, etc.
...
Resource, actions and rules
Resource | Global Namespace | Instance |
---|---|---|
Connector |
|
|
Link |
|
|
Job |
|
|
Server has three children: Connector, Link, Job.
- It is a hierarchy mode. If a user has the privilege of {server, all}, then he/she has all privileges of {connector, all}, {link, all} and {job, all}.
- If a user has the privilege of {job, all}, then he/she has both privileges of {job, read} and {job, write}.
- If a user want to create a link, then he/she need to have the privilege of {server, create}
Resource | Global Namespace | |
---|---|---|
Server |
| |
Connector |
| |
Link |
| |
Job |
| |
Resource | Action | Implicit action |
Connector | View | |
Connector | Use | View |
Link | Create | View, Update, Delete, Use, Enable_Disable |
Link | View | |
Link | Update | View, Delete, Use, Enable_Disable |
Link | Delete | View, Use, Enable_Disable |
Link | Use | View, Enable_Disable |
Link | Enable_Disable | View |
Job | Create | View, Update, Delete, Use, Enable_Disable, Start_Stop, Status |
Job | View | |
Job | Update | View, Delete, Enable_Disable, Start_Stop, Status |
Job | Delete | View, Enable_Disable, Start_Stop, Status |
Job | Enable_Disable | View |
Job | Start_Stop | View, Enable_Disable, Status |
Job | Status | View
Action | Privilege needed |
---|---|
show connector |
|
show link |
|
create link |
|
update link |
|
delete link |
|
enable link |
|
disable link |
|
show job |
|
create job |
|
update job |
|
delete job |
|
enable job |
|
disable job |
|
start job |
|
stop job |
|
show submission |
|
Authorization framework
...
Code Block |
---|
#org.apache.sqoop.authorization.handler=org.apache.sqoop.security.DefaultAuthorizationHandler #org.apache.sqoop.authorization.controller=org.apache.sqoop.security.DefaultAccessController #org.apache.sqoop.authorization.validator=org.apache.sqoop.security.DefaultAuthorizationValidator |
- Four metadata classes.
- Role
- principal
- This class defines user or group.
- Type: user, group, role.
- principal could be granted a role. i.e. if we want to grant a admin role to user hadoop, then grantRole (principal (name=hadoop, type=user), role (name=admin)).
- Resource
- This class defines four resources in Sqoop 2.
- Type: server, connector, link, job.
- Privilege
- Action: createall, view, update, delete, use, enable, disableread, write.
- with_grant_option: boolean, defines whether the role could grant this privilege to other role.
...
Code Block |
---|
Override public void createLinkPrivilige() throws SqoopAccessControlException { List<Privilege> privileges; privileges.add(new Privilege(new Resource("Link", "1"), "Create", null)); privileges.add(new Privilege(new Resource("Connector", "1"), "UseRead", null)); AuthorizationManager.getAuthenticationHandler.checkPrivileges(privileges); } |
...
Code Block |
---|
CREATE ROLE role_name
DROP ROLE role_name
SHOW ROLE |
Grant/Revoke Roles
Code Block |
---|
GRANT ROLE role_name [, role_name] ... TO principal_specification [, principal_specification] ... REVOKE ROLE role_name [, role_name] ... FROM principal_specification [, principal_specification] ... principal_specification: USER user_name | GROUP group_name | ROLE role_name |
...
Code Block |
---|
SHOW ROLE GRANT principal_specification
SHOW PRINCIPAL ON ROLE role_name
principal_specification:
USER user_name | GROUP group_name | ROLE role_name |
...
- Restful call API is handled by org.apache.sqoop.handler.AuthorizationEngine.java in sqoop-server
- PUT POST /authorization/roles/rolecreate
- Create new role with role_{name}
- DELETE /authorization/role/{role_-name}
- GET /authorization/roles
- Show all roles
- GET /authorization/principals?/role/{role_name={name}
- Show all principals in role with {role_name{name}
- GET /authorization/roles?principal_type={type}&principal_name={name}
- Show all roles in principal with {name, type}
- PUT /authorization/roles/grant_role
- Grant a role to a user/group/role
- PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /authorization/roles/revoke_role
- Revoke a role to a user/group/role
- PUT data of JsonObject role(role_name) and principal (name, type)
- PUT /authorization/privileges/grant_privilege
- Grant a privilege to a principal
- PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
- PUT /authorization/privileges/revoke_privilege
- Revoke a privilege to a principal
- PUT data of JsonObject principal(name, type) and privilege (resource (-name, resource-type), action, with_-grant_-option)
- If privilege is null, then revoke all privileges for principal(name, type)
- GET /authorization/privileges?principal/_type={type}/&principal_name={name}?&resource_type={type}&resource_name={name}
- Show all privileges in principal with {name, type} and resource with {resource_-name, resource_-type}
- If resource is null, then show all privileges in principal with {name, type}
- PUT POST /authorization/roles/rolecreate
...